rds_ssm_connect 1.8.2 → 1.8.3

package/connect.js

@@ -14,7 +14,7 @@ import {
 } from './configLoader.js'
 
 // Package info for version checking
-const packageJson = { name: 'rds_ssm_connect', version: '1.8.1' }
+const packageJson = { name: 'rds_ssm_connect', version: '1.8.3' }
 
 const execAsync = promisify(exec)
 
@@ -28,8 +28,9 @@ const RETRY_CONFIG = {
   PORT_FORWARDING_MAX_RETRIES: 2,
   SSM_AGENT_READY_WAIT_MS: 10000,
   KEEPALIVE_INTERVAL_MS: 4 * 60 * 1000,
-  AUTO_RECONNECT_MAX_RETRIES: 50,
+  AUTO_RECONNECT_MAX_RETRIES: 3,
   AUTO_RECONNECT_DELAY_MS: 3000,
+  CREDENTIAL_CHECK_TIMEOUT_MS: 60000,
 }
 
 // Version check configuration
@@ -170,6 +171,21 @@ async function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms))
 }
 
+// Pre-flight credential check. Uses a short timeout so that if aws-vault
+// needs to open a browser for SSO re-auth (which blocks indefinitely), the
+// command is killed before any browser tab appears.
+async function checkCredentialsValid(profile, region) {
+  try {
+    await execAsync(
+      `aws-vault exec ${profile} -- aws sts get-caller-identity --region ${region}`,
+      { timeout: RETRY_CONFIG.CREDENTIAL_CHECK_TIMEOUT_MS },
+    )
+    return { valid: true }
+  } catch (_error) {
+    return { valid: false }
+  }
+}
+
 // Keepalive: periodic TCP ping through the tunnel to prevent SSM idle timeout.
 // Each connection attempt generates traffic on the SSM WebSocket channel,
 // resetting the server-side idle timer (default 20 min).
@@ -712,6 +728,18 @@ async function connect(projectKey, profile, options = {}) {
 
         if (manualDisconnect) break
 
+        // Verify credentials are still valid before retrying.
+        // Avoids opening browser SSO tabs when the user is away.
+        emit('status', { message: 'Checking credentials...' })
+        const credCheck = await checkCredentialsValid(profile, region)
+        if (!credCheck.valid) {
+          emit('status', {
+            message:
+              'AWS credentials expired. Please re-authenticate and reconnect.',
+          })
+          break
+        }
+
         // Re-discover infrastructure (bastion may have been replaced by ASG)
         emit('status', { message: 'Finding bastion instance...' })
         currentInstanceId = await findBastionInstance(profile, region)
@@ -744,6 +772,16 @@ async function connect(projectKey, profile, options = {}) {
 
         if (manualDisconnect) break
 
+        // Verify credentials before retrying (same check as happy path)
+        const credCheckOnError = await checkCredentialsValid(profile, region)
+        if (!credCheckOnError.valid) {
+          emit('status', {
+            message:
+              'AWS credentials expired. Please re-authenticate and reconnect.',
+          })
+          break
+        }
+
         try {
           currentInstanceId = await findBastionInstance(profile, region)
           currentRdsEndpoint = await getRdsEndpoint(profile, projectConfig)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rds_ssm_connect",
-  "version": "1.8.2",
+  "version": "1.8.3",
   "type": "module",
   "repository": {
     "type": "git",

package/test/connect.test.js

@@ -180,6 +180,8 @@ describe('Retry Configuration', () => {
       BASTION_WAIT_RETRY_DELAY_MS: 15000,
       PORT_FORWARDING_MAX_RETRIES: 2,
       SSM_AGENT_READY_WAIT_MS: 10000,
+      AUTO_RECONNECT_MAX_RETRIES: 3,
+      CREDENTIAL_CHECK_TIMEOUT_MS: 60000,
     }
 
     assert.ok(
@@ -198,5 +200,14 @@ describe('Retry Configuration', () => {
       RETRY_CONFIG.SSM_AGENT_READY_WAIT_MS > 0,
       'SSM wait should be positive',
     )
+    assert.ok(
+      RETRY_CONFIG.AUTO_RECONNECT_MAX_RETRIES > 0 &&
+        RETRY_CONFIG.AUTO_RECONNECT_MAX_RETRIES <= 10,
+      'Auto-reconnect retries should be between 1 and 10',
+    )
+    assert.ok(
+      RETRY_CONFIG.CREDENTIAL_CHECK_TIMEOUT_MS >= 5000,
+      'Credential check timeout should be at least 5 seconds',
+    )
   })
 })